Sunday, March 7, 2010

Authentication Mechanisms

What is authentication?

-> Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. A client can be an end user, a machine, or an application.

When we talk about authentication, we also have to discuss the mechanisms used to authenticate a user, a process, or a client.

In simple terms, there are many ways authentication can be done:

-> One-time passwords
-> Challenge-response mechanisms
-> Time-based mechanisms, such as RSA SecurID (a passcode generator)


This is just a snapshot of the authentication mechanisms most often used in the world; many newer mechanisms are available to check out.

Specifically, when we take the case of RSA SecurID, we can again think of two-factor authentication, which relates back to our old post, where:

-> Something you have (a token that generates a passcode)
-> Something you know (a PIN), which are used together to authenticate a user

The user enters their ID and then a combination of PIN + passcode.
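The PIN + passcode login described above, as an added example that is not from the original post: a time-based passcode generator in the style of a SecurID token, written here with the open TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps) standing in for RSA's proprietary one, and a verifier that checks both factors together. Secrets, PINs and the user ID are constructed values.

```python
# Added example: two-factor check = something you know (PIN) + something you
# have (time-based token). TOTP (RFC 6238) is an assumption standing in for the
# proprietary SecurID algorithm. All secrets and IDs below are constructed.
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

def totp(secret: bytes, at: int) -> str:
    """Derive the passcode for the 30-second window containing time `at`."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def enroll(user_id: str, pin: str, token_secret: bytes) -> dict:
    """Store a salted PIN hash (never the PIN) and the token seed for the user."""
    salt = os.urandom(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return {"id": user_id, "salt": salt, "pin_hash": pin_hash,
            "token_secret": token_secret}

def verify(user: dict, user_id: str, pin: str, passcode: str, at: int,
           window: int = 1) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which
    one was wrong. `window` steps either side are accepted for clock drift."""
    if user["id"] != user_id:
        return False
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], 100_000)
    pin_ok = hmac.compare_digest(pin_hash, user["pin_hash"])
    token_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(user["token_secret"], at + drift * STEP_SECONDS)
        token_ok = hmac.compare_digest(candidate, passcode) or token_ok
    return pin_ok and token_ok

if __name__ == "__main__":
    alice = enroll("EMP001", "4821", b"constructed-token-seed")
    now = int(time.time())
    code = totp(alice["token_secret"], now)        # what the token would display
    print("login ok:", verify(alice, "EMP001", "4821", code, now))
```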


A new emerging technology in the market is RSA Adaptive Authentication,

which uses an intelligent engine that looks at various factors to determine the risk level of an entity.

It takes many parameters into account and conducts a risk assessment.
A unique risk score is assigned to each activity, and users are challenged only for high-risk activity. This helps companies increase security without disrupting users' normal activities.
It is still in its nascent stage but is slowly gaining implementations worldwide.
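The risk-scoring idea behind adaptive authentication, as an added example that is not from the original post and is not RSA's engine: each login attempt is scored from a few signals against the user's history, low scores pass silently, higher scores are stepped up to a second-factor challenge, and the highest are denied. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
# Added example: a minimal risk engine for step-up authentication.
# Signals, weights and thresholds are illustrative assumptions, not RSA's.
from dataclasses import dataclass, field

@dataclass
class Profile:                         # what we have seen from this user before
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)  # local hours the user normally logs in

@dataclass
class Attempt:                         # the activity being scored right now
    device_id: str
    country: str
    hour: int                          # 0-23
    recent_failures: int               # failed logins in the last window
    action: str = "login"              # e.g. "transfer" or "change_password"

WEIGHTS = {"new_device": 30, "new_country": 35, "odd_hour": 15,
           "failures": 10, "sensitive_action": 20}
CHALLENGE_AT, DENY_AT = 40, 90         # score thresholds (0-100)

def risk_score(profile: Profile, attempt: Attempt) -> int:
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
    if attempt.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]
    score += min(attempt.recent_failures, 3) * WEIGHTS["failures"]  # capped
    if attempt.action != "login":
        score += WEIGHTS["sensitive_action"]
    return min(score, 100)

def decide(profile: Profile, attempt: Attempt) -> str:
    """'allow' (no extra friction), 'challenge' (ask for a passcode) or 'deny'."""
    score = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    return "challenge" if score >= CHALLENGE_AT else "allow"

if __name__ == "__main__":
    p = Profile(known_devices={"laptop-1"}, usual_countries={"IN"})
    print(decide(p, Attempt("laptop-1", "IN", 10, 0)))   # familiar: allow
    print(decide(p, Attempt("phone-9", "US", 10, 0)))    # new device+country: challenge
```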

Saturday, March 6, 2010

Access Control for Data

When we talk about access control, a few things come to mind:

-> Identification
-> Authentication
-> Authorization
-> Accountability

Identification can be defined as a public identity, such as an EMPID, which is publicly known to everyone in an organization; but identification by itself does not guarantee that the user is authenticated and authorized for a particular access.

Identification has to be associated with some mechanism to authenticate; this is where the authentication mechanism comes into the picture.

Users can be authenticated in ways such as:

-> Hardware, using a biometric device or RSA tokens
-> Software, using passwords


Authentication itself is a very big chapter to understand, as there are multiple and new ways in technology to authenticate and grant resource access, which we will take up later.
For now we can note two-factor authentication, which is till now the best way to authenticate, summed up as:

-> Something the user has (maybe an RSA token or a software token)
-> Something the user knows (maybe a password)
-> Something the user is (maybe an EMPID)


Two-factor authentication requires a person to present two of the features mentioned above to authenticate themselves.

The 3rd trait is Availability

It is a plain and simple concept: the information should be available to all the intended people for read/write access as per their authorization level, so that it can be presented and used for the purpose it is meant for.

What is Integrity?

The next trait to discuss is Integrity.

Integrity deals with the WRITE value, meaning that modifications of information bear on data integrity. Integrity ensures that:

-> Only an authorized person is allowed to modify, meaning only a person authorized to modify particular data can do so

-> Unauthorized modifications are prevented, whether from authorized or unauthorized users

-> Integrity is maintained in any form of transaction, meaning the data that was sent should be received the way it was intended

A somewhat complex structure for Integrity, but in short: Integrity deals with the form of data and the WRITE value of data; READ does not form a part of Integrity.

Integrity matters for private or commercial organizations, as many hands maintain and circulate one piece of information. They have open and distributed architectures and business models, which leads to data modifications that lose out on integrity.

Hence integrity is very important for commercial organizations.

3 traits in business today

Business, whether for-profit or non-profit, deals with 3 important traits known as CIA, i.e. Confidentiality, Integrity, Availability.

The definition of these 3 might differ between organizations as requirements differ; however, the core concept remains the same: protection of data from unauthorised use and modification, and making it available in a more transparent way to all the required members.

Let's take an example.

Confidentiality might be very important for government organizations, as their data is accessed by limited sets of people at a certain level and might not be accessible to all or many people lower down the chain; hence it becomes evident that the information must be treated as confidential.

Classifying data as confidential actually defines the sensitivity level of the data, meaning:
How sensitive is the data?
The more sensitive it is, the fewer people who can access and modify it, hence more security is required.

Say for a government organization such as the military, data could be classified as

Top Secret -> Secret -> Sensitive -> Classified -> Unclassified.

The above could be an easy way to understand that high authority is required to access military documents. So we can say:

Confidentiality deals with accessing information and has more of a READ value than a WRITE value.
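One access check that ties the Access Control post together with the Confidentiality and Integrity sections, as an added example that is not from the original posts: identification is the EMPID lookup, authentication is assumed already done by the caller, authorization is split into READ (confidentiality: the user's clearance must reach the data's level) and WRITE (integrity: an explicit right to modify that specific data), and every decision is logged for accountability. The classification levels follow the order given above; the users and data items are constructed.

```python
# Added example: identification -> authorization (read vs write) -> audit.
# Users, data items and rights are constructed; levels follow the post's order.
from datetime import datetime, timezone

LEVELS = ["Unclassified", "Classified", "Sensitive", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # higher rank = more sensitive

# Constructed directory: EMPID -> clearance and the data each may modify.
USERS = {
    "EMP001": {"clearance": "Secret", "may_write": {"ops-plan"}},
    "EMP002": {"clearance": "Unclassified", "may_write": {"canteen-menu"}},
}
DATA = {
    "ops-plan": {"level": "Secret"},
    "canteen-menu": {"level": "Unclassified"},
    "budget": {"level": "Top Secret"},
}
AUDIT = []   # accountability: append-only record of every decision, allowed or not

def authorize(empid: str, item: str, action: str) -> bool:
    """Decide a read/write request for an already-authenticated EMPID."""
    user, data = USERS.get(empid), DATA.get(item)
    if user is None or data is None or action not in ("read", "write"):
        allowed = False                            # unknown identity or item: deny
    elif action == "read":
        # Confidentiality (READ): no reading data above your clearance.
        allowed = RANK[user["clearance"]] >= RANK[data["level"]]
    else:
        # Integrity (WRITE): needs the read clearance AND an explicit modify right.
        allowed = (RANK[user["clearance"]] >= RANK[data["level"]]
                   and item in user["may_write"])
    AUDIT.append({"at": datetime.now(timezone.utc).isoformat(), "who": empid,
                  "what": item, "action": action, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    for who, what, act in [("EMP001", "ops-plan", "read"), ("EMP001", "budget", "read"),
                           ("EMP002", "canteen-menu", "write"), ("EMP002", "ops-plan", "read")]:
        print(who, act, what, "->", "allowed" if authorize(who, what, act) else "denied")
    print(len(AUDIT), "decisions recorded")
```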

Thursday, March 4, 2010

Companies' perception of Information Security

Companies today have become more informed about the threats and activities that could prove critical for their survival. This awareness has brought in the new trend of implementing a separate department, Information Security, to look after the security needs of the organization. This does not mean only the installation of firewalls and antivirus mechanisms, but information security as a whole, ranging from physical security to access mechanisms, security architecture, design of the organization's information flow model, application security and operations, along with following standards, compliance and security procedures.

Monday, February 22, 2010

What is information?

Information is a message which is sent and received; more precisely, a meaningful message makes meaningful information. This is a general definition easily understood by all, but meaningful information does not mean every piece of information has to be protected and secured.

Information needs to be classified in a way that gives a broad picture of what to protect and to what extent to protect it. Let's define information in a few steps:

  • What is the information
  • What is its classification
  • What is the context of the information
  • What is the purpose of the information
  • What is the source of the information

There are many more questions, to be discussed in future blogs, that make up information and decide its level or classification.

Levels could be defined broadly as

  • Confidential
  • Private
  • Public

The levels mentioned above could be good and acceptable for a commercial organization, but may not be suitable for other types of organization, such as a government or military organization, or even an NGO.